Introducing D-Pin Purr v1.0 – 32-bit Edition

As promised in my earlier blog post, I’ve finalized the utility and made it available for download here. I won’t be releasing the source code for the moment, because I don’t want to encourage people to start adding this kind of code to their own malware, nor to encourage the Symantec folks to start unprotecting every process on the system.

So until then, have fun with the tool, whether to explore previously protected processes or to observe how the system and applications behave when certain processes are made protected. Here’s a screenshot of audiodg.exe after being unprotected. Try it on your own system to see the before/after difference.

@dfranklin – I had to create [HKLM\SYSTEM\CurrentControlSet\Services\drmkaud] and add a REG_DWORD value named Type. Once I did that, dpinpurr worked. Previously, it displayed the same error (“[C0000034] – Internal error.”).

Hi Alex, thanks for the info on protected processes and your POC tool. Unfortunately, I am unable to download the tool (dpinpurr.zip) from the link provided. Seems as though the link is broken? I am in the process of writing a white paper on user-mode memory scanning (on 32-bit and 64-bit Windows) for malicious content, which requires enumerating all processes and reading their virtual address space (committed pages). I would like to try out the tool on protected processes on Vista. Also, how do you go about reading a protected process’s address space in Vista from user-mode? Or kernel-mode? For memory scanning on Vista, in case of a protected process, would it be useful to simply un-protect the process, read its virtual address space and then protect it back again? If the memory content is found to be malicious, it could then be flagged as malicious.
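The question above about reading a protected process from user mode can be answered empirically. On Vista, the kernel allows another process to open a protected process only with a small set of rights (PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_TERMINATE, SYNCHRONIZE and a few others); PROCESS_VM_READ is refused with ERROR_ACCESS_DENIED even for an elevated caller, so a purely user-mode scanner cannot read that address space. The check is enforced when a handle is opened, so it does not bind kernel-mode code, and it is exactly what goes away once a tool like the one described in this post clears the protection bit. The following PowerShell script is an added example written for this page, not code from the post's author or from D-Pin Purr. It assumes PowerShell 2.0 or later (for Add-Type) and an elevated prompt, so that an ordinary DACL denial is not mistaken for protection; the two-step open (limited query first, then VM_READ) separates "cannot be opened at all" from "opens, but refuses memory reads".

```powershell
# Added example (not part of the original post): list processes that refuse
# PROCESS_VM_READ, the access right a user-mode memory scanner needs.
# Assumptions: PowerShell 2.0+ for Add-Type, and an elevated session so that
# a denial reflects process protection rather than a restrictive DACL.

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # granted even by protected processes
$PROCESS_VM_READ                   = 0x0010   # refused by protected processes
$ERROR_ACCESS_DENIED               = 5

function Test-OpenProcess {
    # Returns $true if OpenProcess succeeds with the requested rights.
    # The Win32 error of the last attempt is stored in $script:LastOpenError.
    param([uint32]$DesiredAccess, [uint32]$ProcessId)

    $h = [Win32.Kernel32]::OpenProcess($DesiredAccess, $false, $ProcessId)
    # SetLastError=true makes the P/Invoke stub capture the error immediately,
    # so reading it on the next statement is safe.
    $script:LastOpenError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) { return $false }
    [void][Win32.Kernel32]::CloseHandle($h)
    return $true
}

foreach ($p in Get-Process) {
    # Step 1: the limited query right. Protected processes allow this, so a
    # failure here means a privilege/DACL problem, an exited process, or a
    # pseudo-process such as PID 0; it is not evidence of protection.
    if (-not (Test-OpenProcess $PROCESS_QUERY_LIMITED_INFORMATION $p.Id)) {
        "{0,6} {1,-24} cannot be opened at all (error {2})" -f $p.Id, $p.ProcessName, $script:LastOpenError
        continue
    }

    # Step 2: the right a memory scanner actually needs.
    if (Test-OpenProcess $PROCESS_VM_READ $p.Id) {
        "{0,6} {1,-24} PROCESS_VM_READ granted" -f $p.Id, $p.ProcessName
    }
    elseif ($script:LastOpenError -eq $ERROR_ACCESS_DENIED) {
        "{0,6} {1,-24} PROCESS_VM_READ denied: candidate protected process" -f $p.Id, $p.ProcessName
    }
    else {
        "{0,6} {1,-24} PROCESS_VM_READ failed (error {2})" -f $p.Id, $p.ProcessName, $script:LastOpenError
    }
}
```

On a stock Vista system the "candidate protected process" line should appear for audiodg.exe and for any protected media processes that are running; run the script before and after unprotecting a process with the tool to see the same PID move into the "granted" group. Because the denial is decided at handle-open time, unprotecting, scanning and re-protecting (as the comment suggests) does work from the scanner's point of view, with the caveat that the process is exposed to every other caller during that window.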